Topic # 236053 15-May-2018 19:57

Hi, I have been stuffing around with my working network to make administration a bit easier. How I would like it to work is to have my ER Lite set up so it becomes the DHCP server for all my VLANs, and then have the Cambium access points centrally managed via the cloud admin tool. My problem at the moment is that everything on VLAN 1 is working fine, but a separate VLAN (30) does not appear to work as expected. The WiFi client just gets stuck on trying to retrieve an IP.

 

The E600 is set up as follows:

ACL: (image not captured)

Trunk: (image not captured)

VLAN: (image not captured)

On my DLINK switch: (image not captured)

And finally, on the erlite:

firewall {
    all-ping enable
    broadcast-ping disable
    group {
        network-group IOT_VLAN_BLOCK_NETS {
            description "Drop IoT traffic to other VLANs"
            network 192.168.1.0/24
            network 192.168.20.0/24
        }
        network-group LAN_NETWORKS {
            description "RFC1918 LAN Networks"
            network 192.168.0.0/16
            network 172.16.0.0/12
            network 10.0.0.0/8
        }
        network-group VIDEO_VLAN_BLOCK_NETS {
            description "Drop Video Camera traffic to other VLANs"
            network 192.168.20.0/24
        }
    }
    ipv6-receive-redirects disable
    ipv6-src-route disable
    ip-src-route disable
    log-martians enable
    name IOT_WIFI_PROTECT_IN {
        default-action accept
        rule 10 {
            action accept
            description "Accept IoT WiFi Established/Related"
            protocol all
            state {
                established enable
                related enable
            }
        }
        rule 30 {
            action drop
            description "Drop IOT_VLAN_BLOCK_NETS"
            destination {
                group {
                    network-group IOT_VLAN_BLOCK_NETS
                }
            }
            protocol all
        }
    }
    name IOT_WIFI_PROTECT_LOCAL {
        default-action drop
        rule 10 {
            action accept
            description "Accept DNS"
            destination {
                port 53
            }
            protocol udp
        }
        rule 20 {
            action accept
            description "Accept DHCP"
            destination {
                port 67
            }
            protocol udp
        }
    }
    name WAN_IN {
        default-action drop
        description "WAN to internal"
        rule 10 {
            action accept
            description "Allow established/related"
            state {
                established enable
                related enable
            }
        }
        rule 30 {
            action drop
            description "Drop invalid state"
            state {
                invalid enable
            }
        }
    }
    name WAN_LOCAL {
        default-action drop
        description "WAN to router"
        rule 10 {
            action accept
            description "Allow established/related"
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action drop
            description "Drop invalid state"
            state {
                invalid enable
            }
        }
    }
    options {
        mss-clamp {
            mss 1412
        }
    }
    receive-redirects disable
    send-redirects enable
    source-validation disable
    syn-cookies enable
}
interfaces {
    ethernet eth0 {
        description "Internet (PPPoE)"
        duplex auto
        pppoe 0 {
            default-route auto
            firewall {
                in {
                    name WAN_IN
                }
                local {
                    name WAN_LOCAL
                }
            }
            mtu 1492
            name-server auto
        }
        speed auto
    }
    ethernet eth1 {
        address 192.168.1.1/24
        description Local
        duplex auto
        speed auto
        vif 30 {
            address 192.168.30.1/24
            description IoT
            firewall {
                in {
                    name IOT_WIFI_PROTECT_IN
                }
                local {
                    name IOT_WIFI_PROTECT_LOCAL
                }
            }
            mtu 1500
        }
    }
    ethernet eth2 {
        address 192.168.2.1/24
        description "Local 2"
        disable
        duplex auto
        speed auto
    }
    loopback lo {
    }
}
port-forward {
    auto-firewall enable
    hairpin-nat enable
    lan-interface eth1
    wan-interface eth0
}
service {
    dhcp-server {
        disabled false
        hostfile-update disable
        shared-network-name LAN1 {
            authoritative enable
            subnet 192.168.1.0/24 {
                default-router 192.168.1.1
                dns-server 192.168.1.1
                domain-name xxxxxl
                lease 86400
                start 192.168.1.38 {
                    stop 192.168.1.243
                }
            }
        }
        shared-network-name VLAN30_IOT {
            authoritative disable
            subnet 192.168.30.0/24 {
                default-router 192.168.30.1
                dns-server 192.168.30.1
                lease 86400
                start 192.168.30.50 {
                    stop 192.168.30.100
                }
            }
        }
        static-arp disable
        use-dnsmasq enable
    }
    dns {
        forwarding {
            cache-size 400
            listen-on eth1
            listen-on eth1.30
            name-server 192.168.1.1
            name-server 1.1.1.1
        }
    }
    gui {
        http-port 80
        https-port 443
        older-ciphers enable
    }
    nat {
        rule 1 {
            description "DNS Redirection"
            destination {
                port 53
            }
            inbound-interface eth1
            inside-address {
                address 192.168.1.1
                port 53
            }
            log disable
            protocol tcp_udp
            source {
                address 192.168.1.2-192.168.1.254
            }
            type destination
        }
        rule 5010 {
            description "masquerade for WAN"
            outbound-interface pppoe0
            type masquerade
        }
    }
    ssh {
        port 22
        protocol-version v2
    }
    unms {
        disable
    }
}

 

 

 

 

Please advise.
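What the two IoT rulesets in the config above actually permit is easier to see by running sample flows through them. The following is an added example in Python, not part of the original post and not EdgeOS code; it models first-match evaluation with a default action, using the IOT_VLAN_BLOCK_NETS group and the rule contents from the posted config. The split between the "local" ruleset (packets addressed to the router itself, which is how the DHCP broadcast and DNS to 192.168.30.1 are handled) and the "in" ruleset (packets the router would forward) follows EdgeOS; the router address set is taken from eth1 and eth1.30 and deliberately leaves out 192.168.2.1 because eth2 is disabled. All flows are constructed.

```python
"""First-match model of the IOT_WIFI_PROTECT_IN / IOT_WIFI_PROTECT_LOCAL rulesets posted above.

Added example; rule contents and router addresses come from the posted config, the
flows at the bottom are constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Callable, List, Optional, Tuple

# network-group IOT_VLAN_BLOCK_NETS from the config
IOT_VLAN_BLOCK_NETS = [ip_network("192.168.1.0/24"), ip_network("192.168.20.0/24")]

# Addresses the router itself owns on eth1 and eth1.30, plus the limited broadcast that a
# DHCP DISCOVER is sent to. Packets to these go through the "local" ruleset; anything the
# router would forward goes through "in". 192.168.2.1 is omitted because eth2 is disabled.
ROUTER_ADDRESSES = {"192.168.1.1", "192.168.30.1", "255.255.255.255"}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str                   # "tcp", "udp" or "icmp"
    dport: Optional[int] = None
    established: bool = False    # conntrack already knows this flow (i.e. a reply packet)


Rule = Tuple[int, str, Callable[[Flow], bool]]   # (rule number, action, match predicate)
Ruleset = Tuple[str, List[Rule]]                  # (default-action, rules in number order)


def in_block_nets(f: Flow) -> bool:
    return any(ip_address(f.dst) in net for net in IOT_VLAN_BLOCK_NETS)


IOT_WIFI_PROTECT_IN: Ruleset = ("accept", [
    (10, "accept", lambda f: f.established),   # state established/related, protocol all
    (30, "drop", in_block_nets),               # destination group IOT_VLAN_BLOCK_NETS
])

IOT_WIFI_PROTECT_LOCAL: Ruleset = ("drop", [
    (10, "accept", lambda f: f.proto == "udp" and f.dport == 53),   # DNS to the router
    (20, "accept", lambda f: f.proto == "udp" and f.dport == 67),   # DHCP to the router
])


def evaluate(ruleset: Ruleset, flow: Flow) -> Tuple[str, Optional[int]]:
    """EdgeOS semantics: rules in ascending order, first match wins, otherwise default-action."""
    default, rules = ruleset
    for number, action, match in rules:
        if match(flow):
            return action, number
    return default, None


def check(src: str, dst: str, proto: str, dport: Optional[int] = None,
          established: bool = False) -> Tuple[str, str, Optional[int]]:
    """Verdict for a packet entering eth1.30: (ruleset name, action, matching rule or None)."""
    flow = Flow(src, dst, proto, dport, established)
    if dst in ROUTER_ADDRESSES:
        return ("IOT_WIFI_PROTECT_LOCAL",) + evaluate(IOT_WIFI_PROTECT_LOCAL, flow)
    return ("IOT_WIFI_PROTECT_IN",) + evaluate(IOT_WIFI_PROTECT_IN, flow)


# Constructed flows from an IoT client at 192.168.30.50 (the comments give the expected verdict)
SAMPLE_FLOWS = [
    ("192.168.30.50", "1.1.1.1", "tcp", 443),               # internet: default accept
    ("192.168.30.50", "1.1.1.1", "udp", 53),                # outside resolver: also accepted
    ("192.168.30.50", "192.168.1.10", "tcp", 445),          # LAN1 host: rule 30 drop
    ("192.168.30.50", "192.168.20.5", "tcp", 554),          # camera VLAN: rule 30 drop
    ("192.168.30.50", "192.168.2.10", "tcp", 80),           # eth2 net: not in the group, accepted
    ("192.168.30.50", "192.168.1.10", "tcp", 51000, True),  # reply to a LAN1-initiated flow: rule 10
    ("0.0.0.0", "255.255.255.255", "udp", 67),              # DHCP DISCOVER: local rule 20
    ("192.168.30.50", "192.168.30.1", "udp", 53),           # DNS to router: local rule 10
    ("192.168.30.50", "192.168.30.1", "tcp", 53),           # TCP DNS: local default drop
    ("192.168.30.50", "192.168.1.1", "tcp", 443),           # router GUI via its LAN1 IP: drop
    ("192.168.30.50", "192.168.30.1", "icmp", None, True),  # reply to a router-initiated ping: drop
]

if __name__ == "__main__":
    for args in SAMPLE_FLOWS:
        print(args, "->", check(*args))
```

Four results are worth a second look when reading the config: traffic to 192.168.2.0/24 is accepted because that network is not in IOT_VLAN_BLOCK_NETS (harmless while eth2 is disabled, a gap the day it is enabled); TCP/53 to the router is dropped because rule 10 only matches UDP; replies to anything the router itself opens towards VLAN 30 (a ping from the router to an IoT device, for instance) are dropped because the local ruleset has no established/related rule; and NAT rule 1 only matches inbound-interface eth1 with a 192.168.1.x source, so an IoT client that talks to an outside resolver directly is not redirected and simply passes the "in" ruleset on its default accept.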

 

  Reply # 2016538 15-May-2018 21:41

I see above you are trying to force DNS to the router?
I do it this way:

nat {
    rule 4000 {
        description "Policy DNAT: Force LAN DNS Requests to Router"
        destination {
            address !192.168.0.1
            port 53
        }
        inbound-interface eth1
        inside-address {
            address 192.168.0.1
        }
        log disable
        protocol tcp_udp
        type destination
    }
}

And you can set an IP to ignore that rule with this:
    rule 4010 {
        description "OpenDNS for 192.168.0.6"
        destination {
            address !192.168.0.6
            port 53
        }
        inbound-interface eth1
        inside-address {
            address 208.67.222.222
        }
        log disable
        protocol tcp_udp
        type destination
    }

eth0 = WAN, eth1 = LAN
IP 192.168.0.6 uses the OpenDNS server; everybody else is forced to use the system DNS servers.

Probably won't help your issue above

 

I'm thinking it's a VLAN issue somewhere along the line, as the firewall looks correct.


  Reply # 2016597 16-May-2018 06:45

Hi, without looking through all of that config, why has vlan30 on the ER not been assigned an IP address? I doubt it will pick it up from its own DHCP server; as it is, it will not route.

So assign it as static (192.168.30.1) and then set the DHCP server pool to give that IP as the vlan30 gateway, and adjust the pool to .10 - .250 or something like that.

Having never used an ER I am not sure what the config options are, but as it currently is there is no gateway for the vlan, so the DHCP server on that network will not work properly.

Edit: also on the Dlink, is there a trunk port to connect to Eth1 of the ER? The config as shown does not show that. And the WAP, I assume this is on port 2 of the switch, so what's the mgmt vlan of the WAP? It is common (but not always) that vlan1 (untagged) is your mgmt vlan and user traffic is tagged, in your case 30.

Cyril
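The question Cyril raises (which VLAN tag, if any, the DHCP traffic carries when it reaches the router's trunk port) can be settled by looking at the frames rather than the configs. The following is an added example, not from this thread or from any vendor: a small decoder that walks Ethernet, the optional 802.1Q tag, IPv4, UDP and the BOOTP/DHCP option 53 of each frame and groups the DHCP messages by VLAN ID. The three frames it runs on are constructed inline to stand in for a capture (client A's DISCOVER tagged 30 and the OFFER back, client B's DISCOVER leaving the AP untagged); MACs and the OFFER addresses are made up.

```python
"""Decode 802.1Q-tagged Ethernet frames and report which VLAN DHCP messages arrive on.

Added example for the thread above; the frames at the bottom are constructed, not captured.
"""
import socket
import struct
from dataclasses import dataclass
from typing import Dict, List, Optional

ETHERTYPE_VLAN = 0x8100
ETHERTYPE_IPV4 = 0x0800
IPPROTO_UDP = 17
DHCP_MSG_TYPES = {1: "DHCPDISCOVER", 2: "DHCPOFFER", 3: "DHCPREQUEST", 5: "DHCPACK", 6: "DHCPNAK"}


@dataclass
class FrameInfo:
    src_mac: str
    vlan_id: Optional[int]               # None means the frame arrived untagged
    dhcp_msg_type: Optional[str] = None  # set only for DHCP frames


def parse_frame(frame: bytes) -> FrameInfo:
    """Ethernet -> optional 802.1Q tag -> IPv4 -> UDP 67/68 -> BOOTP -> DHCP option 53."""
    _dst, src, ethertype = struct.unpack_from("!6s6sH", frame, 0)
    off = 14
    vlan_id = None
    if ethertype == ETHERTYPE_VLAN:
        tci, ethertype = struct.unpack_from("!HH", frame, off)
        vlan_id = tci & 0x0FFF           # the low 12 bits of the TCI are the VID
        off += 4
    info = FrameInfo(src_mac=src.hex(":"), vlan_id=vlan_id)
    if ethertype != ETHERTYPE_IPV4:
        return info
    ihl = (frame[off] & 0x0F) * 4        # IPv4 header length in bytes
    if frame[off + 9] != IPPROTO_UDP:
        return info
    off += ihl
    sport, dport = struct.unpack_from("!HH", frame, off)
    if not ({sport, dport} & {67, 68}):
        return info
    off += 8                             # past the UDP header
    # The fixed BOOTP header is 236 bytes and is followed by the 4-byte magic cookie.
    opts = frame[off + 240:]
    i = 0
    while i < len(opts) and opts[i] != 255:   # 255 = end option
        if opts[i] == 0:                      # 0 = pad, carries no length byte
            i += 1
            continue
        code, length = opts[i], opts[i + 1]
        if code == 53 and length == 1:        # option 53 = DHCP message type
            info.dhcp_msg_type = DHCP_MSG_TYPES.get(opts[i + 2], f"type-{opts[i + 2]}")
        i += 2 + length
    return info


def dhcp_by_vlan(frames: List[bytes]) -> Dict[Optional[int], List[str]]:
    """Group the DHCP message types seen by VLAN ID (None = untagged)."""
    seen: Dict[Optional[int], List[str]] = {}
    for frame in frames:
        info = parse_frame(frame)
        if info.dhcp_msg_type:
            seen.setdefault(info.vlan_id, []).append(info.dhcp_msg_type)
    return seen


def build_dhcp_frame(src_mac: bytes, dst_mac: bytes, msg_type: int, vlan_id: Optional[int],
                     src_ip: str = "0.0.0.0", dst_ip: str = "255.255.255.255",
                     sport: int = 68, dport: int = 67) -> bytes:
    """Constructed test frame; IP/UDP checksums are left zero and the parser does not check them."""
    op = 2 if msg_type in (2, 5, 6) else 1       # BOOTREPLY for server messages, else BOOTREQUEST
    chaddr = dst_mac if op == 2 else src_mac      # client hardware address field
    bootp = struct.pack("!BBBBIHH4s4s4s4s16s64s128s", op, 1, 6, 0, 0x3903F326, 0, 0x8000,
                        b"\0" * 4, b"\0" * 4, b"\0" * 4, b"\0" * 4,
                        chaddr.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    payload = bootp + b"\x63\x82\x53\x63" + bytes([53, 1, msg_type, 255])
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, IPPROTO_UDP, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip)) + udp
    eth = dst_mac + src_mac
    if vlan_id is not None:
        eth += struct.pack("!HH", ETHERTYPE_VLAN, vlan_id & 0x0FFF)
    return eth + struct.pack("!H", ETHERTYPE_IPV4) + ip


CLIENT_A = bytes.fromhex("02aabbccdd01")   # constructed MAC addresses
CLIENT_B = bytes.fromhex("02aabbccdd02")
ROUTER = bytes.fromhex("02aabbccdd30")
BCAST = b"\xff" * 6

# Constructed "capture" on the trunk: A's DISCOVER is tagged 30 and an OFFER comes back;
# B's DISCOVER left the AP untagged, so it never reaches eth1.30 and the VLAN30 pool never answers.
SAMPLE_CAPTURE = [
    build_dhcp_frame(CLIENT_A, BCAST, 1, 30),
    build_dhcp_frame(ROUTER, CLIENT_A, 2, 30, "192.168.30.1", "192.168.30.50", 67, 68),
    build_dhcp_frame(CLIENT_B, BCAST, 1, None),
]
# A tagged non-IP frame (ARP-like, ethertype 0x0806) to show the decoder ignores it.
ARP_FRAME_VLAN30 = BCAST + CLIENT_A + struct.pack("!HHH", ETHERTYPE_VLAN, 30, 0x0806) + b"\0" * 28

if __name__ == "__main__":
    for vid, msgs in dhcp_by_vlan(SAMPLE_CAPTURE).items():
        print("untagged" if vid is None else f"vlan {vid}", msgs)
```

To apply this to the real network, capture on the router's parent interface (eth1, not eth1.30, so the tags are still present in the frames) while a client tries to associate; some NICs strip the 802.1Q tag in hardware, in which case capture on the switch side instead. `tcpdump -i eth1 -e -nn 'port 67 or port 68'` prints the same information directly: DISCOVERs that show no `vlan 30` in the link-level header are arriving untagged, which means the AP or the switch is not tagging the SSID's traffic and the 192.168.30.0/24 pool will never see them.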

 

 


  Reply # 2016601 16-May-2018 07:08

cyril7:

    Hi, without looking through all of that config, why has vlan30 on the ER not been assigned an IP address? I doubt it will pick it up from its own DHCP server; as it is, it will not route.

    So assign it as static (192.168.30.1) and then set the DHCP server pool to give that IP as the vlan30 gateway, and adjust the pool to .10 - .250 or something like that.

    Having never used an ER I am not sure what the config options are, but as it currently is there is no gateway for the vlan, so the DHCP server on that network will not work properly.

    Cyril

I think:

    default-router 192.168.30.1

takes care of that.

 

My thought is that somewhere the VLAN is not right, either on the AP or the switch, as the ERL3 looks right.


  Reply # 2016623 16-May-2018 08:15

Doh, missed that. There are multiple stanzas that could probably be better in one than distributed across multiple entries, so it makes it a bit cumbersome to read.

 

Cyril


  Reply # 2016640 16-May-2018 08:46

Thanks everyone, I am starting to lean towards a switch issue. The D-Link appears to lock up if I attempt to use 802.1Q, and a hard reset is the only thing that gets it working again. Will pick up a UniFi switch this afternoon and give it another go.

 

  Reply # 2017221 16-May-2018 21:30

Quick update: set up VLAN trunking on my new UniFi switch and it worked as expected. Is there a way to configure the UniFi so only the Cambium is allowed to patch into that port? Want to stop people from just plugging in their laptop :)

 

  Reply # 2017277 17-May-2018 06:24

Hi, you could use mac-filtering, alternatively most of us lock the cabinets.

 

Cyril

